TL;DR
PyYAML's yaml.load() can construct arbitrary Python objects (and therefore call arbitrary Python callables) from tags embedded in the document. This is dangerous if you receive a YAML document from an untrusted source.
Proof of concept
https://github.com/liberapay/liberapay.com/blob/master/liberapay/testing/vcr.py#L40
How do I fix it?
Always use yaml.safe_load(). It only constructs plain types such as strings, integers, floats, booleans, lists and dicts, and raises an error on Python-specific tags instead of executing them.
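An added example (my own, not the reporter's proof of concept and not liberapay code) showing the difference. It assumes PyYAML is installed; `os.getpid` is a constructed, harmless stand-in for the function an attacker would really name (`os.system`, `subprocess.Popen`, ...), and the documents are constructed samples:

```python
# Added example, not part of the report or the liberapay repository.
# Assumes PyYAML (import yaml) is installed.
import os
import yaml

# Constructed sample documents.
BENIGN_DOC = "name: alice\nids: [1, 2, 3]\n"
# A PyYAML-specific tag: an unsafe loader resolves `os.getpid` and calls it
# with no arguments while building the result. os.getpid stands in for
# os.system here so the demo has no side effects.
TAGGED_DOC = "!!python/object/apply:os.getpid []\n"


def load_unsafely(doc: str):
    """Legacy behaviour: any !!python/object/apply tag is executed."""
    return yaml.load(doc, Loader=yaml.UnsafeLoader)


def load_untrusted(doc: str):
    """Parse YAML that came from an untrusted source.

    safe_load only builds plain types (str, int, float, bool, list, dict,
    None, ...). A Python-specific tag makes it raise a YAMLError
    (ConstructorError), which is turned into a ValueError for the caller.
    """
    try:
        return yaml.safe_load(doc)
    except yaml.YAMLError as exc:
        raise ValueError("rejected YAML document with unsupported tag") from exc


def rejects_tagged(doc: str) -> bool:
    """True if the safe path refuses the document instead of executing it."""
    try:
        load_untrusted(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("safe_load:", load_untrusted(BENIGN_DOC))
    print("UnsafeLoader called os.getpid():", load_unsafely(TAGGED_DOC))
    print("safe_load refused tagged doc:", rejects_tagged(TAGGED_DOC))
```

Note that `yaml.load(doc)` without a `Loader` argument is exactly the pattern flagged above; passing `Loader=yaml.SafeLoader` is equivalent to `yaml.safe_load(doc)`.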
If you have any questions
please comment on the report
best regards
mrrobot2050